John Dowdell works at Adobe in San Francisco, reading customer commentary all day. Views are my own; content is stuff that I think other people might find useful.

Clickjacking, reporters

I’ve written on this before, so will just post a reminder here about how reporters may not always be accurate… PCWorld puts it this way today:

Adobe Systems has released a new version of its Flash Player software, fixing a critical security bug that could make the Internet a dangerous place for Web surfers.

The new Flash Player 10 software, released Wednesday, fixes security flaws in Adobe’s multimedia software including bugs that could allow hackers to pull off what’s known as a clickjacking attack, wrote Adobe spokesman David Lenoe in a blog posting.

Actually, David wrote nothing of the sort, as you can confirm by following the link which PCWorld (thankfully!) supplied. This is not a security flaw in Flash; there is not a “Flash bug” to fix.

The changes in Player 10 just prevent the browser’s existing and unpatched clickjacking flaws from affecting the Flash cam/mic dialog. David doesn’t go into details, but it’s something like Player calling out beyond the browser to the operating system to make sure Flash’s pixels are actually displayed, and the browser isn’t letting something else slide in on top to hide the dialog.

Clickjacking is a browser flaw. It is not addressed. (NoScript addresses some implementations but seems a stopgap.) Adobe took the lead in recognizing the issue, and bringing it to the attention of the browser vendors. Adobe has also mitigated the damage the browsers’ clickjacking problems can cause for Flash. But that’s it — the core problem still exists.

I’m glad that Adobe folks recognized the issue early, worked collaboratively on it, and have the first minimizations of the exploit path. But I’m not glad that reporters are saying it’s a Flash issue, just because other reporters said it was a Flash issue.

In Player 10, the permissions dialog for the webcam can’t be hidden by some other browser element, so you can’t be fooled into clicking on it. This will soon be rolled into Player 9, too, for those who need it. That’s all we did. Until the browsers can assure that what you click is what you think you click, and until websites assure that they’re not hosting untrustworthy third-party content, clickjacking in general will still be an issue. Flash is incidental to this whole clickjack story, not its focus.

(That PCWorld article is requesting material from google-analytics.com, quantserve.com, doubleclick.net, yimg.com, digg.com, industrybrains.com, pricegrabber.com, on24.com, and 2mdn.com. The ad networks among them receive files from strangers. Third-party requests like these are not only possible infection vectors for a clickjacking attack, but also enable cross-site surveillance through IP logging. Both browser makers and website owners have work to do to disable clickjacking.)